
Is your website up? Are you sure?

It’s panicked gift-buying season, and I got mail this morning from Boutique Academia, part of their final push before Christmas.

They’re hoping for some Christmas sales in the next three days. They do make some lovely jewelry – ask Laura about her necklace some time – so I clicked on their mail.

That’s not good. I like Boutique Academia, and fixing email and DNS problems is What We Do, so I took a look.

Safari isn’t quite as bad with not-exactly-truthful error messages as Internet Explorer, but I still don’t really trust it. Perhaps the problem is with the click-tracking domain in the email, rather than with boutiqueacademia.com? So I open the base page at http://boutiqueacademia.com, get redirected immediately to https://www.boutiqueacademia.com – which fails to load.

That’s pretty authoritative (DNS joke … never mind). The response says “NXDOMAIN”, which is DNS-speak for “no such domain”. It means that there isn’t any DNS record for www.boutiqueacademia.com – no A record, nor any DNS record of any other type for that hostname. And it isn’t something that can be caused by a temporary network glitch – it means that the DNS server for the domain says authoritatively “there’s no DNS record”.

This is beginning to look familiar. Let’s see what the authoritative DNS servers for boutiqueacademia.com have to say.

There’s our problem. Boutique Academia are using hostdns4u.com to host the DNS for their domain – and hostdns4u.com are sending broken DNS responses. They’re responding with a CNAME to myshopify, the ecommerce site, but they’re also responding with the status “NXDOMAIN” – there’s no DNS record for this hostname.

That response violates the way DNS works. If it’s returning any matching DNS record – such as the CNAME – it should return a “NOERROR” status, not “NXDOMAIN”.

Where this gets interesting is when you ask what a DNS resolver will do with this invalid response. That’s not really defined, and different recursive resolvers will treat this response in different ways. Some will ignore the NXDOMAIN and return the CNAME record. Some will ignore the CNAME record and return NXDOMAIN.

That means that, depending on which sort of DNS server your recipient is using, everything may work perfectly, or any attempt to visit the website may give an error. If the DNS server you’re using is sloppy about NXDOMAINs, you may never see the problem in your own web browser.
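Because your own resolver may hide the problem, the check is best done on the raw authoritative response. The following is an added example, not code from the blog or from PowerDNS: stdlib-only Python that builds a constructed response in DNS wire format and flags the CNAME-with-NXDOMAIN combination described above. The hostnames and the myshopify target are constructed samples.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name):
    # Wire-format a dotted hostname: length-prefixed labels ending in a zero byte.
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"

def decode_name(msg, off):
    # Decode a name at `off`, following compression pointers; returns (name, next offset).
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def build_response(qname, rcode, cname_target=None):
    # Constructed sample response (not captured from a real server): header, one A
    # question, and optionally one CNAME answer whose owner name points back at the question.
    flags = 0x8400 | rcode                             # QR=1, AA=1, RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if cname_target else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    if cname_target:
        rdata = encode_name(cname_target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(rdata)) + rdata
    return msg

def check_response(msg):
    # Parse the header, skip the question(s), collect answer RR types, and flag an answer
    # section that carries a CNAME while the RCODE claims the name does not exist.
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, types = flags & 0x000F, 12, []
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    inconsistent = rcode == RCODE_NXDOMAIN and TYPE_CNAME in types
    return rcode, types, inconsistent
```

To run this against a live zone, send the A query to each listed nameserver over UDP port 53 and feed the raw reply bytes to `check_response`; a `True` third value is the broken case, whatever your local resolver shows.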

As far as I can tell this bug is specific to CNAME records, and exists at several DNS hosting companies.

The end result is that if you’re using an ecommerce or blog-hosting company that uses CNAMEs in your DNS zone to point to their servers (such as Shopify or WordPress), and you’re hosting your DNS with a company that has this bug, then a significant fraction of the Internet will not be able to reach your website.

You’ll see their opens and clicks on your email. If you’re using pay-per-click advertising you’re paying for each customer. But they’ll never see your site.

I’m not sure what fraction of the Internet is using recursive resolvers that are strict about invalid CNAME responses, but I’d guess it’s at least 20%. If your website suffers from this issue then you could get 25% more sales by moving your DNS hosting to a company that doesn’t suffer from this issue.

(I have told Boutique Academia about this issue. Hostdns4u.com have a cPanel error page for their website, so I didn’t try to contact them.)

It seems to be PowerDNS authoritative 3.something, mostly. I’m not sure what they do to it to break it that way, but I’m guessing it’s something to do with a misconfigured database backend.

One of the recursive resolvers that treats this as just an NXDOMAIN (correctly, imo) is PowerDNS recursive resolver, so you can find some discussion of it in the PowerDNS support places. Conclusion there, from the PowerDNS devs, seems to be that the authoritative server is misconfigured, but it’s not their bug.

I’m vaguely interested in getting to the bottom of it, but the issue seems to be mostly at the … yelp one-star … hosting places, who aren’t exactly responsive.
